FIM CM and Custom Subject Policy Module

Forefront Identity Manager Certificate Management (FIM CM) provides a very useful function: it can issue certificates with a predefined subject name, specified by the administrator and enforced centrally on every certificate issued through FIM CM. Most PKI implementations are governed by a Certificate Policy (CP) and an applicable Certification Practice Statement (CPS). Among many other things, the CPS defines what kind of Subject goes into each issued certificate. Subject names usually come in one of two formats:

  1. Domain-based name (something like cn=servername, ou=servers, dc=domain, dc=local)
  2. Geopolitical name (something like cn=webapp, ou=webapps, o=my cool company, c=us)

With Microsoft ADCS, certificates enrolled through the auto-enrollment mechanism get their subject name from Active Directory, and it is formatted as a domain-based name.

The geopolitical name is usually found in manually enrolled certificates. In most cases the requester has to generate a custom CSR with the desired subject name in it. This approach is prone to typos and syntax errors, and it does not allow for an easy approval workflow. Also, if you are familiar with the fields offered by the ADCS Web Enrollment pages, the IIS offline request wizard and similar enrollment tools, you know that those fields are preset and cannot easily be customized. They usually ask you for e-mail, state, organization, organizational unit, city and country/region. What if you don't want any of those in your subject name, and don't want to offer them as a choice to your certificate subscribers at all?

The FIM CM Custom Subject Policy Module comes to the rescue. It is installed on the ADCS CA and works together with a FIM CM enrollment policy.

You can find details on how to install FIM CM and Custom Subject name at https://technet.microsoft.com/en-us/library/ee534914(WS.10).aspx

Let's take a look at a simple example. We want to issue a certificate whose subject name looks like this: cn=mywebapp, ou=webapps, o=my cool company, c=us, or, if you look inside the certificate, like this:

cn=mywebapp
ou=webapps
o=my cool company
c=us

In this naming convention we want the subscriber to provide the name of their application in the request, while the rest of the subject is static and the subscriber does not need to see it or know where it comes from.

We'll assume that you have already installed ADCS and FIM CM. Two things need to happen to build the custom subject name:

  • First, you'll need to install the FIM CM Custom Subject Policy Module on the ADCS CA and put the following line into its configuration:

cn={Clm!NameOfTheApplication},ou=webapps,o=my cool company,c=us

It is very important not to type any spaces between the tags, the commas and the “=” symbols. If you do, the subject name will not be created, and neither ADCS nor FIM CM will tell you why. Believe me, I had spaces there, nothing worked, and nowhere could I find out why it was not working. Very frustrating.

  • Second, on your enrollment policy you'll need to create a custom data entry. Name it “NameOfTheApplication”; it must match the name you specified in the Custom Subject Policy Module on the CA. Make sure to specify that the data must be provided by the user, and make it a required data field.

When a subscriber enrolls for a certificate via the FIM CM portal, the first screen will ask them to provide NameOfTheApplication; they type the name and proceed to the next screen. Next they receive the actual certificate from ADCS, with its subject name formatted the way we want it.
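Because the module fails silently, it pays to check the template line before it goes onto the CA. The following PowerShell is an added example, not code from the original post or from the FIM CM product: it flags whitespace next to “=” or “,”, confirms that every {Clm!...} tag has a custom data entry with exactly that name, renders the template with a sample value so you can see the subject you expect (one RDN per line, the way it looks inside the certificate), and compares an issued certificate's subject against that rendering. The {Clm!Name} tag syntax and the no-whitespace rule are the ones described above; the function names, the list of accepted attribute types, the rejection of DN special characters in subscriber-typed values, and the sample value mywebapp are assumptions of this example.

```powershell
# Added example, not code from the original post or from the FIM CM product.
# Pre-flight checks for a FIM CM Custom Subject Policy Module template line such as
#   cn={Clm!NameOfTheApplication},ou=webapps,o=my cool company,c=us
# The {Clm!Name} tag syntax and the no-whitespace rule are the ones described in the post;
# function names, attribute list, special-character rule and sample values are assumptions.

function Test-ClmSubjectTemplate {
    param(
        [Parameter(Mandatory)] [string]   $Template,
        # Names of the custom data entries defined as required on the FIM CM enrollment policy
        [Parameter(Mandatory)] [string[]] $RequiredDataFields
    )
    $problems = @()

    # The module tolerates no whitespace next to '=' or ',' and gives no error when it finds some.
    if ($Template -match '\s=|=\s|\s,|,\s') {
        $problems += "whitespace next to '=' or ',' (the module would silently produce no subject)"
    }

    # Every {Clm!Name} tag must name an existing data entry. The comparison is case-sensitive
    # on the assumption that an exact match is the only safe one.
    $tags = [regex]::Matches($Template, '\{Clm!([^}]+)\}') | ForEach-Object { $_.Groups[1].Value }
    foreach ($tag in $tags) {
        if ($RequiredDataFields -cnotcontains $tag) {
            $problems += "tag {Clm!$tag} has no matching custom data entry named '$tag'"
        }
    }

    # Each RDN must be attribute=value with an attribute type the CA will encode (assumed list).
    foreach ($rdn in ($Template -split ',')) {
        if ($rdn -notmatch '^(cn|ou|o|c|l|st|dc|e|emailAddress)=.+$') {
            $problems += "RDN '$rdn' is not a recognised attribute=value pair"
        }
    }
    return $problems
}

function Expand-ClmSubjectTemplate {
    param(
        [Parameter(Mandatory)] [string]    $Template,
        # Values the subscriber would type into the custom data entries, keyed by entry name
        [Parameter(Mandatory)] [hashtable] $Values,
        [switch] $MultiLine
    )
    # A subscriber-typed value containing DN delimiters would change the structure of the
    # subject. How the module escapes them is not documented here, so this example rejects
    # such values; enforce the same rule on the data entry itself.
    foreach ($name in $Values.Keys) {
        if ([string] $Values[$name] -match '[,=+<>#;"\\]') {
            throw "value for '$name' contains DN special characters"
        }
    }
    $subject = $Template
    foreach ($m in [regex]::Matches($Template, '\{Clm!([^}]+)\}')) {
        $name = $m.Groups[1].Value
        if (-not $Values.ContainsKey($name)) { throw "no value supplied for {Clm!$name}" }
        $subject = $subject.Replace($m.Value, [string] $Values[$name])
    }
    # Run the result through the .NET X.500 parser: it rejects malformed DNs and prints the
    # name the way the certificate viewer does (one RDN per line with -MultiLine).
    $dn = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName -ArgumentList $subject
    return $dn.Format([bool] $MultiLine)
}

function Test-IssuedSubject {
    # Compare an issued certificate's subject with the subject rendered from the template.
    param(
        [Parameter(Mandatory)] [System.Security.Cryptography.X509Certificates.X509Certificate2] $Certificate,
        [Parameter(Mandatory)] [string] $ExpectedSubject
    )
    $expected = New-Object System.Security.Cryptography.X509Certificates.X500DistinguishedName -ArgumentList $ExpectedSubject
    return $Certificate.SubjectName.Format($false) -eq $expected.Format($false)
}

$template = 'cn={Clm!NameOfTheApplication},ou=webapps,o=my cool company,c=us'
$fields   = @('NameOfTheApplication')

# The broken variant with spaces, which the CA accepts and then silently fails on
$withSpaces = 'cn = {Clm!NameOfTheApplication}, ou=webapps, o=my cool company, c=us'
Test-ClmSubjectTemplate -Template $withSpaces -RequiredDataFields $fields

if (@(Test-ClmSubjectTemplate -Template $template -RequiredDataFields $fields).Count -eq 0) {
    # Render with a constructed sample value for the subscriber-typed field
    Expand-ClmSubjectTemplate -Template $template -Values @{ NameOfTheApplication = 'mywebapp' } -MultiLine
}

# After enrollment, list the certificates whose subject matches the rendered template:
# $expected = Expand-ClmSubjectTemplate -Template $template -Values @{ NameOfTheApplication = 'mywebapp' }
# Get-ChildItem Cert:\LocalMachine\My | Where-Object { Test-IssuedSubject -Certificate $_ -ExpectedSubject $expected }
```

Run it on the CA or an admin workstation with the .NET Framework available. The check on the template with spaces reports the whitespace and the malformed RDNs; the clean template renders as CN=mywebapp, OU=webapps, O=my cool company and C=us on separate lines, which is what you should then see in the issued certificate.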